sb/intel/bd82x6x: Revise flash ROM lockdown options

The original options were named and described under the false assumption that the chipset lockdown would only be executed during S3 resume. Fix that. Change-Id: I435a3b63dd294aa766b1eccf1aa80a7c47e55c95 Signed-off-by: Nico Huber <nico.h@gmx.de> Reviewed-on: https://review.coreboot.org/21327 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Patrick Rudolph <siro@das-labor.org>
2017-09-01 23:28:14 +02:00 · 2017-09-01 23:28:14 +02:00 · 2ac149d294
parent 7eb0157fca
commit 2ac149d294
2 changed files with 29 additions and 20 deletions
--- a/src/southbridge/intel/bd82x6x/Kconfig
+++ b/src/southbridge/intel/bd82x6x/Kconfig
@ -75,29 +75,37 @@ endif
 if SOUTHBRIDGE_INTEL_BD82X6X || SOUTHBRIDGE_INTEL_C216 || SOUTHBRIDGE_INTEL_IBEXPEAK
 choice
-	prompt "Flash ROM locking on S3 resume"
+	prompt "Flash locking during chipset lockdown"
-	default LOCK_SPI_ON_RESUME_NONE
+	default LOCK_SPI_FLASH_NONE
-config LOCK_SPI_ON_RESUME_NONE
+config LOCK_SPI_FLASH_NONE
-	bool "Don't lock ROM sections on S3 resume"
+	bool "Don't lock flash sections"
-config LOCK_SPI_ON_RESUME_RO
+config LOCK_SPI_FLASH_RO
-	bool "Lock all flash ROM sections on S3 resume"
+	bool "Write-protect all flash sections"
 	help
-	  If the flash ROM shall be protected against write accesses from the
+	  Select this if you want to write-protect the whole firmware flash
-	  operating system (OS), the locking procedure has to be repeated after
+	  chip. The locking will take place during the chipset lockdown, which
-	  each resume from S3. Select this if you never want to update the flash
+	  is either triggered by coreboot (when INTEL_CHIPSET_LOCKDOWN is set)
-	  ROM from within your OS. Notice: Even with this option, the write lock
+	  or has to be triggered later (e.g. by the payload or the OS).
 	  has still to be enabled on the normal boot path (e.g. by the payload).
-config LOCK_SPI_ON_RESUME_NO_ACCESS
+	        NOTE: If you trigger the chipset lockdown unconditionally,
-	bool "Lock and disable reads all flash ROM sections on S3 resume"
+	        you won't be able to write to the flash chip using the
 	        internal programmer any more.
 config LOCK_SPI_FLASH_NO_ACCESS
 	bool "Write-protect all flash sections and read-protect non-BIOS sections"
 	help
-	  If the flash ROM shall be protected against all accesses from the
+	  Select this if you want to protect the firmware flash against all
-	  operating system (OS), the locking procedure has to be repeated after
+	  further accesses (with the exception of the memory mapped BIOS re-
-	  each resume from S3. Select this if you never want to update the flash
+	  gion which is always readable). The locking will take place during
-	  ROM from within your OS. Notice: Even with this option, the lock
+	  the chipset lockdown, which is either triggered by coreboot (when
-	  has still to be enabled on the normal boot path (e.g. by the payload).
+	  INTEL_CHIPSET_LOCKDOWN is set) or has to be triggered later (e.g.
 	  by the payload or the OS).
 	        NOTE: If you trigger the chipset lockdown unconditionally,
 	        you won't be able to write to the flash chip using the
 	        internal programmer any more.
 endchoice
--- a/src/southbridge/intel/bd82x6x/finalize.c
+++ b/src/southbridge/intel/bd82x6x/finalize.c
@ -25,12 +25,13 @@ void intel_pch_finalize_smm(void)
 	u16 tco1_cnt;
 	u16 pmbase;
-	if (CONFIG_LOCK_SPI_ON_RESUME_RO || CONFIG_LOCK_SPI_ON_RESUME_NO_ACCESS) {
+	if (IS_ENABLED(CONFIG_LOCK_SPI_FLASH_RO) ||
 	    IS_ENABLED(CONFIG_LOCK_SPI_FLASH_NO_ACCESS)) {
 		/* Copy flash regions from FREG0-4 to PR0-4
 		   and enable write protection bit31 */
 		int i;
 		u32 lockmask = (1 << 31);
-		if (CONFIG_LOCK_SPI_ON_RESUME_NO_ACCESS)
+		if (IS_ENABLED(CONFIG_LOCK_SPI_FLASH_NO_ACCESS))
 			lockmask |= (1 << 15);
 		for (i = 0; i < 20; i += 4)
 			RCBA32(0x3874 + i) = RCBA32(0x3854 + i) | lockmask;